Summary

Warning

The session modules make use of HTTP cookies, and as such can fall
victim to Cross Site Scripting attacks, or expose potentially private
information to clients. Please ensure that the relevant risks have
been taken into account before enabling the session functionality on
your server.

This submodule of mod_session provides support for the
storage of user sessions on the remote browser within HTTP cookies.

Using cookies to store a session removes the need for the server or
a group of servers to store the session locally, or collaborate to share
a session, and can be useful for high traffic environments where a
server based session might be too resource intensive.

If session privacy is required, the mod_session_crypto
module can be used to encrypt the contents of the session before writing
the session to the client.

For more details on the session interface, see the documentation for
the mod_session module.

The SessionCookieName directive specifies the name and
optional attributes of an RFC2109 compliant cookie inside which the session will
be stored. RFC2109 cookies are set using the Set-Cookie HTTP header.

An optional list of cookie attributes can be specified, as per the example below.
These attributes are inserted into the cookie as is, and are not interpreted by
Apache. Ensure that your attributes are defined correctly as per the cookie specification.

The SessionCookieName2 directive specifies the name and
optional attributes of an RFC2965 compliant cookie inside which the session will
be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header.

An optional list of cookie attributes can be specified, as per the example below.
These attributes are inserted into the cookie as is, and are not interpreted by
Apache. Ensure that your attributes are defined correctly as per the cookie specification.

The SessionCookieRemove flag controls whether the cookies
containing the session will be removed from the headers during request processing.

In a reverse proxy situation where the Apache server acts as a server frontend for
a backend origin server, revealing the contents of the session cookie to the backend
could be a potential privacy violation. When set to on, the session cookie will be
removed from the incoming HTTP headers.

Notice:This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.